Microsoft has released its monthly batch of security updates that fix at least 55 vulnerabilities across a wide range of its products, including Windows and its components, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and others.
November 2021 Patch Tuesday also includes fixes for two zero-day flaws actively exploited in the wild. The two under-attack vulnerabilities impact Microsoft Exchange Server and Microsoft Excel products.
The Microsoft Exchange vulnerability (CVE-2021-42321) is described as an input validation error that exists due to insufficient validation of cmdlet arguments. A remote user can run a specially crafted cmdlet and execute arbitrary commands on the system.
“We are aware of limited targeted attacks in the wild using one of the vulnerabilities (CVE-2021-42321), which is a post-authentication vulnerability in Exchange 2016 and 2019,” Microsoft said, adding that the bug affects on-premises Microsoft Exchange Server, including servers used in Exchange Hybrid mode.
"Our recommendation is to install these updates immediately to protect your environment," Microsoft urged.
The second zero-day flaw (CVE-2021-42292) resides in Microsoft Excel and allows a remote attacker to execute arbitrary code on the system with the help of a specially crafted Excel file.
The Windows maker has also fixed four publicly disclosed vulnerabilities not known to be exploited in cyberattacks:
CVE-2021-38631 - Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
CVE-2021-41371 - Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
CVE-2021-43208 - 3D Viewer Remote Code Execution Vulnerability
CVE-2021-43209 - 3D Viewer Remote Code Execution Vulnerability
The November Patch Tuesday updates also include fixes for high-risk flaws affecting Azure, Microsoft Edge, Windows Defender, Visual Studio and multiple Windows components.